Here's my scenario. I have multiple sites with both a Comcast ENS connection and a broadband Internet connection. Comcast is set up on LAN1 and broadband is on WAN1. At our main site we have an additional 500MB dedicated Internet circuit. We want to route all Internet traffic back through the main site via the Comcast connections and use the broadband only in a failover scenario (VPN).
Is this possible and if so what's the best way to achieve this?
Interesting question. I would assume you could use the main hub as the Exit Hub for all branches, and set up SD-WAN at the branches to egress locally if the VPN goes down on the main tunnel.
Worth a trial
I'm still testing in a lab environment so I'll give this a try. I haven't set up any of the VPN yet but do have the static routes working for all of our VLANs between sites, so this was my next step to figure out.
I may have gotten it wrong, you are NOT using VPN over the Metro Links?
In re-reading I did get it wrong. You are using the LAN port for your Metro link not WAN 1 and 2, so I assume no VPN. That changes everything...
OK everything I said won't work 🙂
This requires a little more thought. I assume you are using the static route (active while the next hop responds to ping) for the MetroNet (but not having it on any VPNs); are you also advertising the hub LAN subnets over VPNs on the backup link?
I have had issues before thinking traditionally with Meraki gear, like having a high-cost static route if dynamic routing fails; it works just the opposite. Without "cost" on static routing this becomes difficult. Do you have dynamic routing behind the MX?
I don't think you can achieve all you want to; you can have the internal networks work the way you wish (go to hub, then fail to VPN), but if the next hop is up but the path is down the VPN will never kick in (blackhole).
The other issue is ALL traffic: you can't really advertise the default route in multiple scenarios (over the static route, then over the VPN) efficiently; you still have a blackhole possibility.
Is VPN'ing over the Metro network an option? Having both ports in WAN 1 and 2 gives you the most options.
On the S2S page for the Branch you will see an Exit Hub there (in Mesh); select your Egress Hub. Then set up SD-WAN with your VPN ISP connection as the primary; it should fail to secondary if primary goes down.
I haven't tried this exact config, but the Exit Hub has saved me with a few weird ISP issues.
The solution provided by @ww works, where you run AutoVPN over both the MetroE and Internet circuits.
You treat the MetroE and Internet circuits as dumb bandwidth and configure SDN to provide the policies you want.
A complete, seamless failover will work if and when you are using both ISP connections on both uplinks of the MX. With the way MPLS-to-VPN failover works, there might be some cases where the configured pinger is pingable but the actual connection has failed further down the line.
When you are using both ISP connections on the two uplinks of the MX, you will get granular control with Meraki SD-WAN policies over which traffic should go where, and the failover will be seamless.
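The configuration the replies above converge on (MetroE and broadband both on WAN uplinks, AutoVPN over both, the main site as exit hub, VPN traffic pinned to the MetroE uplink with failover to broadband) can be pushed with the Meraki Dashboard API instead of clicking through the S2S and SD-WAN pages. The script below is an added example written for this thread; it is not code from the thread's participants or from Meraki. The endpoint paths and JSON field names follow the public Dashboard API v1 as I understand it and should be checked against the current API reference; the network IDs, the 10.10.0.0/24 branch subnet and the assumption that MetroE is on wan1 and broadband on wan2 are constructed placeholders. Only the standard library is used, so the payload builders run offline and `apply()` defaults to a dry run.

```python
"""Build and (optionally) push Meraki Dashboard API payloads for:
  1. branch as an AutoVPN spoke with the main site as its exit hub
  2. SD-WAN uplink selection: VPN traffic prefers wan1 (MetroE),
     fails over to wan2 (broadband) when wan1 is down.
Endpoint paths and field names are assumptions based on Dashboard API v1.
"""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"

# Constructed placeholder identifiers; replace with the real network IDs.
HUB_NETWORK_ID = "N_HUB_PLACEHOLDER"
BRANCH_NETWORK_ID = "N_BRANCH_PLACEHOLDER"
BRANCH_LAN = "10.10.0.0/24"  # constructed sample branch subnet

VALID_UPLINKS = ("wan1", "wan2")


def spoke_vpn_payload(hub_network_id: str, local_subnet: str = BRANCH_LAN) -> dict:
    """Site-to-site VPN settings for a branch.

    mode=spoke with a single hub, and useDefaultRoute=True makes that hub
    the Exit Hub: the branch sends 0.0.0.0/0 over AutoVPN to the main site.
    The local subnet is marked useVpn so the hub can reach it."""
    return {
        "mode": "spoke",
        "hubs": [{"hubId": hub_network_id, "useDefaultRoute": True}],
        "subnets": [{"localSubnet": local_subnet, "useVpn": True}],
    }


def uplink_selection_payload(primary: str = "wan1") -> dict:
    """Traffic-shaping uplink selection for the branch MX.

    All VPN traffic is pinned to `primary`; failOverCriterion=uplinkDown
    moves it to the other WAN uplink only when the primary is down, and
    immediate failback returns it as soon as the primary recovers.
    activeActiveAutoVpnEnabled keeps tunnels built on both uplinks so the
    backup path is already up when failover happens."""
    if primary not in VALID_UPLINKS:
        raise ValueError(f"primary uplink must be one of {VALID_UPLINKS}")
    match_all = {
        "type": "custom",
        "value": {
            "protocol": "any",
            "source": {"cidr": "any"},
            "destination": {"cidr": "any"},
        },
    }
    return {
        "activeActiveAutoVpnEnabled": True,
        "defaultUplink": primary,
        "loadBalancingEnabled": False,
        "failoverAndFailback": {"immediate": {"enabled": True}},
        "vpnTrafficUplinkPreferences": [
            {
                "trafficFilters": [match_all],
                "preferredUplink": primary,
                "failOverCriterion": "uplinkDown",
            }
        ],
    }


def apply(network_id: str, path: str, payload: dict, api_key: str = None,
          dry_run: bool = True):
    """PUT `payload` to /networks/{id}{path}. In dry-run mode the request is
    printed and nothing is sent; otherwise the parsed JSON reply is returned."""
    url = f"{BASE_URL}/networks/{network_id}{path}"
    body = json.dumps(payload).encode()
    if dry_run:
        print("PUT", url)
        print(body.decode())
        return None
    key = api_key or os.environ["MERAKI_API_KEY"]  # never hard-code the key
    req = urllib.request.Request(
        url, data=body, method="PUT",
        headers={"X-Cisco-Meraki-API-Key": key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Dry run: review both requests before pushing them to the dashboard.
    apply(BRANCH_NETWORK_ID, "/appliance/vpn/siteToSiteVpn",
          spoke_vpn_payload(HUB_NETWORK_ID))
    apply(BRANCH_NETWORK_ID, "/appliance/trafficShaping/uplinkSelection",
          uplink_selection_payload("wan1"))
```

Because the failover decision here is driven by AutoVPN tunnel state on each uplink rather than by a ping to the MetroE next hop, it sidesteps the "next hop answers but the path behind it is broken" blackhole that the static-route-on-LAN1 design runs into. Pass `dry_run=False` and an API key in `MERAKI_API_KEY` only once the printed payloads match what you intend.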